Google announced a new open source bug bounty program to tackle supply chain attacks. The program will offer payouts ranging from $100 to $31,337 (a reference to "eleet" or "leet") to secure the ecosystem against supply chain attacks.
The Open Source Software Vulnerability Rewards Program (OSS VRP) will be the first open source-specific vulnerability rewards program.
Google is responsible for several major open source projects. These include Angular, Bazel, Golang, Protocol Buffers, and Fuchsia. The new open source bug bounty program offers a cash reward to members of the public who find and share vulnerabilities or misconfigurations that could affect these projects.
Google will also welcome submissions for its other projects hosted on public repositories such as GitHub, and for the libraries and frameworks those projects use.
Criteria for Bug Hunters submissions are as follows:
- Vulnerabilities that lead to supply chain compromise
- Design issues that cause product vulnerabilities
- Other security issues such as sensitive or leaked credentials, weak passwords, or insecure installations
In light of a steady rise in attacks on supply chains (Maven, NPM, PyPI, RubyGems), open source components have become critical. Third-party libraries are the building blocks of much software, and beefing up the security of these libraries has emerged as a top priority.
Log4Shell is a widely known and troublesome vulnerability that has caused havoc in the software supply chain.
According to Google’s Francis Perron and Krzysztof Kotowicz, “Last year saw a 650% year-over-year increase in attacks targeting the open source supply chain, including headliner incidents like Codecov and the Log4j vulnerability that showed the destructive potential of a single open source vulnerability.”
Google has recently increased the reward for finding privilege escalation exploits in the Linux kernel to be equal to that of finding an escape exploit. The maximum amount has increased from $50,337 to $91,337 until the end of 2022.
Earlier this year, Google announced that they’re going to make open source initiatives more secure.